Analysis
-
max time kernel
128s -
max time network
23s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
20-06-2020 02:23
General
-
Target
goodboy.exe
-
Size
12.1MB
-
MD5
1b22279fe6e9f33894e8a508974cd6b2
-
SHA1
2b8ed32f30f31f374f6daf74a5b2e85aba3368ba
-
SHA256
0910456e5d69a28324c97646aa0c628851323bf7785d641c702a200a6046f0f5
-
SHA512
e9f39a0ce3324c00efe5cfe8ed17471f53fe45c79683c253f3cb6ed5aba38df3d25e4befd8ac7081c40667c820de7fb284f583bc8e1a1db131033fe7344d54a7
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Downloads\README.txt
Ransom Note
Sepertinya Anda terkena Malware Bernama DemonWare
Jangan Khawatir, kami mempunyai Semua file yang kamu punya
DemonWare uses a basic encryption script to lock your files.
This type of ransomware is known as CRYPTO.
You'll need a decryption key in order to unlock your files.
Your files will be deleted when the timer runs out, so you better hurry.
You have 10 hours to find your key
C'mon, be glad I don't ask for payment like other ransomware.
Please visit: https://kontrolservermalwareransomware.com and search for your IP/hostname to get your key.
Kind regards,
Malware Author
URLs
https://kontrolservermalwareransomware.com
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Loads dropped DLL 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
DemonWare
Ransomware first seen in mid-2020.
Processes
-
C:\Users\Admin\AppData\Local\Temp\goodboy.exe"C:\Users\Admin\AppData\Local\Temp\goodboy.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\goodboy.exe"C:\Users\Admin\AppData\Local\Temp\goodboy.exe"2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-